Perl now supports the final version of Unicode 6.2.
Earlier releases in the 5.17 series supported Unicode 6.2 beta versions.
There were no substantive changes in the final Unicode 6.2 version from the most recent beta,
included in Perl 5.17.4.
A list of changes from Unicode 6.1 is at http://www.unicode.org/versions/Unicode6.2.0.

Poorly written perl code that allows an attacker to specify the count to perl's x string repeat operator can already cause a memory exhaustion denial-of-service attack.
A flaw in versions of perl before 5.15.5 can escalate that into a heap buffer overrun; coupled with versions of glibc before 2.16,
it possibly allows the execution of arbitrary code.

The flaw addressed to this commit has been assigned identifier CVE-2012-5195.

Unicode has now withdrawn their previous recommendation for regular expressions to automatically handle cases where a single character can match multiple characters case-insensitively; for example,
the letter LATIN SMALL LETTER SHARP S and the sequence ss.
This is because it turns out to be impracticable to do this correctly in all circumstances.
Because Perl has tried to do this as best it can,
it will continue to do so.
(We are considering an option to turn it off.) However,
a new restriction is being added on such matches when they occur in [bracketed] character classes.
People were specifying things such as /[\0-\xff]/i,
and being surprised that it matches the two character sequence ss (since LATIN SMALL LETTER SHARP S occurs in this range).
This behavior is also inconsistent with the using a property instead of a range: \p{Block=Latin1} also includes LATIN SMALL LETTER SHARP S,
but /[\p{Block=Latin1}]/i does not match ss.
The new rule is that for there to be a multi-character case-insensitive match within a bracketed character class,
the character must be explicitly listed,
and not as an end point of a range.
This more closely obeys the Principle of Least Astonishment.
See "Bracketed Character Classes" in perlrecharclass.
Note that a bug [perl #89774],
now fixed as part of this change,
prevented the previous behavior from working fully.

B::Deparse has been upgraded from version 1.17 to 1.18.
It no longer dies when deparsing sort without arguments.
It now correctly omits the comma for system $prog @args and exec $prog @args.

bignum,
bigint and bigrat have been upgraded from version 0.30 to 0.31.
The overrides for hex and oct have been rewritten,
eliminating several problems,
and making one incompatible change:

Formerly,
whichever of use bigint or use bigrat was compiled later would take precedence over the other,
causing hex and oct not to respect the other pragma when in scope.

Using any of these three pragmata would cause hex and oct anywhere else in the program to evalute their arguments in list context and prevent them from inferring $_ when called without arguments.

Using any of these three pragmata would make oct("1234") return 1234 (for any number not beginning with 0) anywhere in the program.
Now "1234" is translated from octal to decimal,
whether within the pragma's scope or not.

The global overrides that facilitate lexical use of hex and oct now respect any existing overrides that were in place before the new overrides were installed,
falling back to them outside of the scope of use bignum.

use bignum "hex",
use bignum "oct" and similar invocations for bigint and bigrat now export a hex or oct function,
instead of providing a global override.

Carp has been upgraded from version 1.26 to 1.27.
The longmess() and shortmess() functions are now documented.

File::Glob has been upgraded from version 1.17 to 1.18.
A space-separated list of patterns return long lists of results no longer results in memory corruption or crashes.
This bug was introduced in Perl 5.16.0.
[perl #114984]

HTTP::Tiny has been upgraded from version 0.022 to 0.024.
This improves SSL support.

PerlIO::encoding has been upgraded from version 0.15 to 0.16.
This is the module implementing the ":encoding(...)" I/O layer.
It no longer corrupts memory or crashes when the encoding back-end reallocates the buffer or gives it a typeglob or shared hash key scalar.

The error produced when a module cannot be loaded now includes a hint that the module may need to be installed: "Can't locate hopping.pm in @INC (you may need to install the hopping module) (@INC contains: ...)"

Case-insensitive matching inside a [bracketed] character class with a multi-character fold,
no longer excludes one of the possibilities in the circumstances that it used to.
[perl #89774].

PL_formfeed has been removed.

The regular expression engine no longer reads one byte past the end of the target string.
While for all internally well-formed scalars this should never have been a problem,
this change facilitates clever tricks with string buffers in CPAN modules.
[perl #73542]

Inside a BEGIN block,
PL_compcv now points to the currently-compiling subroutine,
rather than the BEGIN block itself.

mg_length has been deprecated.

sv_len now always returns a byte count and sv_len_utf8 a character count.
Previously,
sv_len and sv_len_utf8 were both buggy and would sometimes returns bytes and sometimes characters.
sv_len_utf8 no longer assumes that its argument is in UTF8.
Neither of these creates UTF8 caches for tied or overloaded values or for non-PVs any more.

RXf_SPLIT and RXf_SKIPWHITE are no longer used.
They are now #defined as 0.

The new RXf_MODIFIES_VARS flag can be set by custom regular expression engines to indicate that the execution of the regular expression may cause variables to be modified.
This lets s/// know to skip certain optimisations.
Perl's own regular expression engine sets this flag for the special backtracking verbs that set $REGMARK and $REGERROR.

dump,
goto,
last,
next,
redo or require followed by a bareword (or version) and then an infix operator is no longer a syntax error.
It used to be for those infix operators (like +) that have a different meaning where a term is expected.
[perl #105924]

defined scalar(@array),
defined do { &foo },
and similar constructs now treat the argument to defined as a simple scalar.
[perl #97466]

Running a custom debugging that defines no *DB::DB glob or provides a subroutine stub for &DB::DB no longer results in a crash,
but an error instead.
[perl #114990]

reset "" now matches its documentation.
reset only resets m?...? patterns when called with no argument.
An empty string for an argument now does nothing.
(It used to be treated as no argument.) [perl #97958]

printf with an argument returning an empty list no longer reads past the end of the stack,
resulting in erratic behaviour.
[perl #77094]

$tied =~ s/$non_utf8/$utf8/ no longer loops infinitely if the tied variable returns a Latin-1 string,
shared hash key scalar,
or reference or typeglob that stringifies as ASCII or Latin-1.
This is a regression from 5.12.x.

s/// without /e is now better at detecting when it needs to forego certain optimisations,
fixing some buggy cases:

An empty pattern (s//$foo/) that causes the last-successful pattern to be used,
when that pattern contains code blocks that modify the variables in the replacement.

The taintedness of the replacement string no longer affects the taintedness of the return value of s///e.

The $| autoflush variable is created on-the-fly when needed.
If this happened (e.g.,
if it was mentioned in a module or eval) when the currently-selected filehandle was a typeglob with an empty IO slot,
it used to crash.
[perl #115206]

Line numbers at the end of a string eval are no longer off by one.
[perl #114658]

@INC filters (subroutines returned by subroutines in @INC) that set $_ to a copy-on-write scalar no longer cause the parser to modify that string buffer in place.

length($object) no longer returns the undefined value if the object has string overloading that returns undef.
[perl #115260]

The use of PL_stashcache,
the stash name lookup cache for method calls,
has been restored,

Commit da6b625f78f5f133 in August 2011 inadvertently broke the code that looks up values in PL_stashcache.
As it's a only cache,
quite correctly everything carried on working without it.

The list above is almost certainly incomplete as it is automatically generated from version control history.
In particular,
it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker.

Many of the changes included in this version originated in the CPAN modules included in Perl's core.
We're grateful to the entire CPAN community for helping Perl to flourish.

For a more complete list of all of Perl's historical contributors,
please see the AUTHORS file in the Perl source distribution.

If you find what you think is a bug,
you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at http://rt.perl.org/perlbug/ .
There may also be information at http://www.perl.org/ ,
the Perl Home Page.

If you believe you have an unreported bug,
please run the perlbug program included with your release.
Be sure to trim your bug down to a tiny but sufficient test case.
Your bug report,
along with the output of perl -V,
will be sent off to perlbug@perl.org to be analysed by the Perl porting team.

If the bug you are reporting has security implications,
which make it inappropriate to send to a publicly archived mailing list,
then please send it to perl5-security-report@perl.org.
This points to a closed subscription unarchived mailing list,
which includes all the core committers,
who will be able to help assess the impact of issues,
figure out a resolution,
and help co-ordinate the release of patches to mitigate or fix the problem across all platforms on which Perl is supported.
Please only use this address for security issues in the Perl core,
not for modules independently distributed on CPAN.